Update enforcer for mTLS priority implementation

wso2 · Jan 16, 2024 · 74a2343 · 74a2343
1 parent 14533a5
commit 74a2343
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/...forcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java b/...forcer/org.wso2.apk.enforcer/src/main/java/org/wso2/apk/enforcer/security/AuthFilter.java
@@ -195,15 +195,15 @@ private AuthenticationResponse authenticate(Authenticator authenticator, Request
                                 requestContext.getMatchedResourcePaths().get(0).getPath(),
                                 requestContext.getMatchedAPI().getName(), requestContext.getMatchedAPI().getVersion(),
                                 requestContext.getMatchedAPI().getUuid());
-                        return new AuthenticationResponse(false, true, false);
                     } else {
                         log.debug("Optional mTLS authentication was failed for the request: {} , API: {}:{}, " +
                                 "APIUUID: {} ",
                                 requestContext.getMatchedResourcePaths().get(0).getPath(),
                                 requestContext.getMatchedAPI().getName(), requestContext.getMatchedAPI().getVersion(),
                                 requestContext.getMatchedAPI().getUuid());
-                        return new AuthenticationResponse(false, false, true);
                     }
+                    return new AuthenticationResponse(false, isMutualSSLMandatory, false);
+
                 }
                 // for all authenticators other than mTLS
             } else if (authenticate.isAuthenticated()) {
@@ -215,7 +215,7 @@ private AuthenticationResponse authenticate(Authenticator authenticator, Request
             FilterUtils.setErrorToContext(requestContext, e);
         }
         boolean continueToNextAuth = true;
-        if (authenticator.getName().contains(APIConstants.API_SECURITY_MUTUAL_SSL_NAME) && isMutualSSLMandatory) {
+        if (authenticator.getName().contains(APIConstants.API_SECURITY_MUTUAL_SSL_NAME)) {
             continueToNextAuth = false;
         }
         return new AuthenticationResponse(false,

diff --git a/test/cucumber-tests/src/test/resources/tests/api/MTLSwithOAuth2Optional.feature b/test/cucumber-tests/src/test/resources/tests/api/MTLSwithOAuth2Optional.feature
@@ -83,7 +83,7 @@ Feature: Test mTLS between client and gateway with client certificate sent in he
         When I undeploy the API whose ID is "mtls-optional-oauth2-optional"
         Then the response status code should be 202
 
-    Scenario: Test optional mTLS and optional OAuth2 with an invalid client certificate in header
+    Scenario: Test optional mTLS and optional OAuth2 with an invalid client certificate and invalid token in header
         Given The system is ready
         And I have a valid token with a client certificate "invalid-cert.txt"
         When I use the APK Conf file "artifacts/apk-confs/mtls/mtls_optional_oauth2_optional.apk-conf"
@@ -92,12 +92,28 @@ Feature: Test mTLS between client and gateway with client certificate sent in he
         Then the response status code should be 200
         Then I set headers
             | X-WSO2-CLIENT-CERTIFICATE | ${clientCertificate} |
+            | Authorization             | bearer {accessToken} |
         And I send "GET" request to "https://default.gw.wso2.com:9095/mtls/3.14/employee/" with body ""
         And I eventually receive 401 response code, not accepting
             | 200 |
+        When I undeploy the API whose ID is "mtls-optional-oauth2-optional"
+        Then the response status code should be 202
+
+    Scenario: Test optional mTLS and optional OAuth2 with an invalid client certificate and valid token in header
+        Given The system is ready
+        And I have a valid token with a client certificate "invalid-cert.txt"
+        When I use the APK Conf file "artifacts/apk-confs/mtls/mtls_optional_oauth2_optional.apk-conf"
+        And the definition file "artifacts/definitions/employees_api.json"
+        And make the API deployment request
+        Then the response status code should be 200
         Then I set headers
             | X-WSO2-CLIENT-CERTIFICATE | ${clientCertificate} |
-            | Authorization             | bearer invalidToken  |
+        And I send "GET" request to "https://default.gw.wso2.com:9095/mtls/3.14/employee/" with body ""
+        And I eventually receive 401 response code, not accepting
+            | 200 |
+        Then I set headers
+            | X-WSO2-CLIENT-CERTIFICATE | ${clientCertificate}  |
+            | Authorization             | bearer ${accessToken} |
         And I send "GET" request to "https://default.gw.wso2.com:9095/mtls/3.14/employee/" with body ""
         And I eventually receive 401 response code, not accepting
             | 200 |